Closed Bug 1309690 Opened 7 years ago Closed 6 years ago

signTextJS plus not working with Firefox 50.0beta due to removal of API getUsagesString from nsIX509Cert

Categories

(Firefox :: Extension Compatibility, defect)

Product:
Firefox
Component:
Extension Compatibility
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: javier--Lx3u0NnX4Eug3hq7uRufuMOjDIwrH7, Unassigned)

References

Details

(Keywords: regression)

Attachments

(1 file)

Page to test signature
363 bytes, text/html
Details 
I have received this bug report (https://github.com/jasp00/signTextJS/issues/1):

> Hello, it seems that signTextJS plus 0.8.5 is not working with Firefox
> 50.0beta. It gives "TypeError"
> (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Unexpected_type).
> Also it is not working with Firefox 51.0a2 (2016-10-09) (32 bits). It gives
> "signtextjsplus:Error: Invalid argument" and "signtextjsplus:TypeError:
> domWindow.crypto is undefined".

I have not tried Firefox beta myself. I do not see anything related in the release notes (https://developer.mozilla.org/en-US/Firefox/Releases/50). Could you confirm if this regression is intended?
I installed the add-on but how to generate/reproduce the error?
Flags: needinfo?(javier--Lx3u0NnX4Eug3hq7uRufuMOjDIwrH7)
Try to call window.crypto.signText function.
Attached file Page to test signature 
If you have a certificate, load the attached testing page, push the button, and sign the message. The result should display in an alert box.
Flags: needinfo?(javier--Lx3u0NnX4Eug3hq7uRufuMOjDIwrH7)
Do I need to generate and install my own cerf in FF to test the page?
I guess you could install a self-signed certificate. You may want to try a free certificate instead, such as one from StartCom (https://www.startssl.com/).
SignTextJS also does not work in beta, 50.0b10: https://github.com/mozkeeler/signTextJS/issues/45
This add-on has 88 683 Average Daily Users. It is the only way to use crypto.signText in Firefox to sign content. Please help
Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=de179cfc917a5b747c1a7559ad08c233e8c419f8&tochange=3d09e38954064b41dbc0a9387b5c5a205bf21e15

David Keeler — bug 1284946 - remove usages-related APIs from nsIX509Cert r=Cykesiopka,Felipe,jcj

"remove usages-related APIs from nsIX509Cert
nsIX509Cert provided the APIs getUsagesArray, requestUsagesArrayAsync, and
getUsagesString."

The add-on author needs to update his add-on to use the new API asyncVerifyCertAtTime from nsIX509CertDB.

David, any advice?
Blocks: 1284946
Flags: needinfo?(dkeeler)
Keywords: regression
Summary: signTextJS plus not working with Firefox 50.0beta, related to window.crypto → signTextJS plus not working with Firefox 50.0beta due to removal of API getUsagesString from nsIX509Cert
Javier, could you update your add-on?
Flags: needinfo?(javier--Lx3u0NnX4Eug3hq7uRufuMOjDIwrH7)
(In reply to Loic from comment #7)
> The add-on author needs to update his add-on to use the new API
> asyncVerifyCertAtTime from nsIX509CertDB.

Yep - that's right. Here's what the certificate viewer in Firefox does:

https://dxr.mozilla.org/mozilla-central/rev/3f4c3a3cabaf94958834d3a8935adfb4a887942d/security/manager/pki/resources/content/certViewer.js#148

Another option would be to remove the code that does it altogether (as far as I can tell it's just for display purposes).
Hi David,
how should we understand you comment? Did you mean that you would fix SignTextJS so that it could sign text in FireFox 50 (https://github.com/mozkeeler/signTextJS/issues/40 and https://github.com/mozkeeler/signTextJS/issues/45)? 
Or that you will not fix SignTextJS, but that hopefully JSP should fix SignTextJS Plus (https://github.com/jasp00/signTextJS/issues/1) and from FireFox 50 on only SignTextJS Plus would be the only supported extension for signing text?
bug 1083118 was closed with resolution - "use the addon in the link in the URL field" and the URL was 
https://addons.mozilla.org/en-US/firefox/addon/signtextjs/


does it mean that now the solution is to use this plugin:
https://addons.mozilla.org/en-US/firefox/addon/signtextjs-plus/
Flags: needinfo?(dkeeler)
(In reply to Petko from comment #10)
> Hi David,
> how should we understand you comment? Did you mean that you would fix
> SignTextJS so that it could sign text in FireFox 50
> (https://github.com/mozkeeler/signTextJS/issues/40 and
> https://github.com/mozkeeler/signTextJS/issues/45)? 
> Or that you will not fix SignTextJS, but that hopefully JSP should fix
> SignTextJS Plus (https://github.com/jasp00/signTextJS/issues/1) and from
> FireFox 50 on only SignTextJS Plus would be the only supported extension for
> signing text?

Oh, I'm sorry - I thought we were just talking about SignTextJS Plus. SignTextJS is not an officially-supported method of preserving this functionality. It was just a stop-gap measure while websites moved away from the non-standard API. If I have time, I'll update it, but I can't promise anything.
Flags: needinfo?(dkeeler)
We have an entire insurance company who cannot do business today after their browsers auto-updated.

Given that Firefox has yet to deliver an API that performs the job of crypto.signText, we have no option but to remain on crypto.signText in the short term.

Please fix this urgently.
Version 0.8.6 works around this bug, and was released November 26. You may wait until the review process is done or download the add-on now (https://addons.mozilla.org/en-US/firefox/addon/signtextjs-plus/versions/0.8.6).
Flags: needinfo?(javier--Lx3u0NnX4Eug3hq7uRufuMOjDIwrH7)
(In reply to Graham Leggett from comment #15)
> It appears
> https://addons.mozilla.org/en-US/firefox/addon/signtextjs-plus/versions/0.8.
> 6 is unsigned?

Probably because the latest version is too recent, maybe signature is pending.
How can the code be available for download before the code is signed? Not understanding the workflow here.
The issue is not about the signature but the review. There are 2 steps when hosting an add-on on AMO: signing and reviewing. You can sign only your add-on and host it in another place, like your own website.
signTextJS Version 0.8.6 has been signed but not reviewed.
The update has passed review on AMO now.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.